Create the App with a temporary Single Sign On URL. You will get the real URL later during the Sumo Logic configuration, and come back to change it. The Audience URI (SP Entity ID) value is your own unique identifier. Leave the rest of the options as default.

Click Next.

For App Type select the check box This is an internal application that we created, to avoid publishing to third parties and Okta Verification.

Click Finish.

SSO parameters are now available. Click View Setup Instructions.

Keep this tab open; it has the configuration parameters required for Sumo Logic SAML configuration.

Configure SAML in Sumo Logic

Log into Sumo Logic as an administrator.

Go to Administration > Security > SAML.

Click the plus (+) icon to create a new configuration.

The Add Configuration page appears.

Configuration Name. Type the name of the SSO policy (or another name used internally to describe the policy).

Debug Mode. Select this option if you'd like to view additional details when an error occurs. For more information, see View SAML Debug Information.

Issuer. Type the unique URL associated with your organization's SAML IdP. This is the Identity Provider Issuer from Step 12 in the previous section.

X.509 Certificate. Copy and paste your organization's X.509 certificate, which is used to verify signatures in SAML assertions. This is the Certificate, also from Step 12.

Attribute Mapping. Click Use SAML subject.

SP Initiated Login Configuration. Activate the check box.

Copy the unique hash from the Issuer URL and paste it into the Login Path field.

Authn Request URL. Leave this blank.

Disable Requested Authn Context. If you check this option, Sumo will not include the RequestedAuthnContext element in the SAML AuthnRequests it sends to your IdP. This option is useful if your IdP does not support the RequestedAuthnContext element.

(Optional) Sign Authn Request. If you select this option, Sumo will send signed Authn requests to your IdP. When you click this option, a Sumo-provided X.509 certificate is displayed. You can configure your IdP with this certificate so that it can verify the signature of the Authn requests sent by Sumo.

Roles Attribute. When you click this option, the Roles Attribute field appears. Enter the SAML Attribute Name that is sent by the IdP as part of the assertion. For details, see Set Up SAML for Single Sign-On.

On Demand Provisioning. Select this option to have Sumo Logic automatically create accounts when a user first logs on. For more information, see Set Up SAML for Single Sign-On.

Last Name. Enter lastName.

First Name. Enter firstName.

On Demand Provisioning Roles. Specify the Sumo RBAC roles you want to assign when user accounts are provisioned. (The roles must already exist in Sumo Logic.)

Logout Page. Select this option and enter a URL if you'd like to point all users to the URL after logging out of Sumo Logic. For more information, see Set Up SAML for Single Sign-On.

Click Add.

View the summary of the SAML configuration parameters. Leave this dialog open so that you can use these settings in Okta.

Add Sumo Logic SAML Settings to Okta

Go back to the Okta Admin Panel.

Go to the General tab.

Under SAML Settings, click Edit.

Click Next.

Change the Single Sign On URL to the Assertion Consumer value from your Sumo Logic SAML settings.

Deselect the check box Use this for Recipient URL and Destination URL.

For both Recipient URL and Destination URL, use the Authentication Request value from your Sumo Logic SAML settings.

Click Next and then Finish.

Sumo Logic is now linked with Okta. Just remember to add all Okta users to the Sumo Logic Application in Okta.

To populate the first and last name values for users created in Sumo Logic, add two new entries to the Attribute Statements section. If these attributes are not defined, the user's email address will be used in place of the first name in Sumo Logic. In this example, the First Name attribute is called "givenName" and the Last Name attribute is called "sn" in Okta. These same attribute names must be specified in Sumo Logic under Roles > On Demand Provisioning > First Name Attribute & Last Name Attribute.

Example from Edit SAML Configuration in Okta:
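As an added illustration (not Sumo Logic or Okta code), the following Python models what the Attribute Statements above look like once they arrive inside a SAML assertion, and how a service provider that maps "givenName" and "sn" to first and last name would pick them out, falling back to the SAML subject (the email address) for the first name when the attributes are absent, as the page describes. The two assertions are constructed for illustration only, and the function names provision_user and parse_assertion are assumptions, not Sumo's own processing.

```python
"""Added example: extract provisioning attributes from a SAML assertion.

Not Sumo Logic or Okta code. The assertions below are constructed; the
attribute names givenName / sn are the ones the page configures in Okta.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: the subject is the email address (the page's
# "Use SAML subject" mapping) plus the two Okta Attribute Statements.
ASSERTION_WITH_NAMES = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion for an Okta app with no Attribute Statements configured.
ASSERTION_WITHOUT_NAMES = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bob@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (subject NameID text, {attribute name: [values]}) from an assertion.

    Signature verification (the X.509 certificate step on the page) is out of
    scope here; a real SP must verify the signature before trusting any value.
    """
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return (name_id.text if name_id is not None else None), attrs


def provision_user(xml_text, first_name_attr="givenName", last_name_attr="sn"):
    """Model the On Demand Provisioning mapping (hypothetical helper).

    first_name_attr / last_name_attr correspond to the First Name Attribute and
    Last Name Attribute fields configured in Sumo Logic.
    """
    email, attrs = parse_assertion(xml_text)
    if email is None:
        raise ValueError("assertion has no Subject NameID to identify the user")
    first = attrs.get(first_name_attr, [None])[0]
    last = attrs.get(last_name_attr, [None])[0]
    return {
        "email": email,
        # The page states the email is used in place of the first name when
        # the attribute is not defined.
        "first_name": first or email,
        # The page does not say what happens to the last name; left empty here.
        "last_name": last or "",
    }


if __name__ == "__main__":
    print(provision_user(ASSERTION_WITH_NAMES))
    print(provision_user(ASSERTION_WITHOUT_NAMES))
```

Running the block shows Jane Doe provisioned from the attributes, while the second user, whose assertion carries no Attribute Statements, gets the email address as the first name, which is the symptom the page warns about when the Okta attributes are missing.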

Add Okta users to the Sumo Logic App in Okta

In Okta, go to the People tab.

To create a new user, click Add.

Enter the user’s details, then click Add Person.

Go to the Application tab.

Click the Assign Applications button.

Assign new users to the application.

Activate the new Okta Account via the automated email.

Log in to Okta.

Click the application that you created and log into the Sumo Logic App in Okta.

Create Multiple SAML Configurations

You can create multiple SAML configurations in Sumo. To create an additional SAML configuration, click the plus (+) icon to create a new configuration. Enter the settings for the new configuration, as described in the previous section.

Check SAML Usage

If you intend to require Sumo users to sign in using SAML, as described in the following section, Require SAML for sign-in, it is a best practice to first check whether some users are still logging in directly, instead of using SAML. You can run the following query to see, for a particular time range, whether users signed in using SAML or with their username and password:

_index=sumologic_audit action=login | count by class, sourceuser

This query depends upon data in the Sumo audit index. If the audit index is not enabled, the query will not return results. To enable the index, follow the instructions in Enable and Manage the Audit Index.

The query results show, for each user that has accessed Sumo over the time range, the number of times they have logged in using SAML or by entering a Sumo username and password. In the class column:

"SAML" indicates the user signed in using SAML.

"SESSION" indicates the user authenticated by entering a username and password.

If the same user accessed Sumo using both methods (SAML and direct logon) during the time range, the query results will include a row for each method, showing how many times each method was used.
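The aggregation that the query above performs, count by class and sourceuser over login events, is shown here as an added Python example (not a Sumo Logic query or Sumo code) run over a few constructed audit-style log lines. The key=value line format is constructed for illustration and is not Sumo's actual audit record format; the helper names count_logins_by_class and password_only_users are assumptions. Beyond the page's query, it also lists the users who signed in only with a password during the range, which is the set to review before turning on Require SAML Sign In.

```python
"""Added example: SAML vs. password login breakdown over audit log lines.

Not Sumo Logic code. Log lines and their format are constructed.
"""
import re
from collections import Counter

# Constructed sample: class is SAML or SESSION, exactly as the page describes
# the class column; one logout line is included to exercise the action filter.
SAMPLE_AUDIT_LOG = """\
2023-01-10 08:01:12 class=SAML action=login sourceuser=jane.doe@example.com
2023-01-10 08:03:40 class=SESSION action=login sourceuser=admin@example.com
2023-01-10 09:15:02 class=SAML action=login sourceuser=jane.doe@example.com
2023-01-10 09:16:55 class=SESSION action=login sourceuser=jane.doe@example.com
2023-01-10 10:00:00 class=SAML action=logout sourceuser=jane.doe@example.com
2023-01-10 11:20:31 class=SAML action=login sourceuser=bob@example.com
"""

KV = re.compile(r"(\w+)=(\S+)")


def count_logins_by_class(log_text):
    """Equivalent of `action=login | count by class, sourceuser`.

    Returns a Counter keyed by (class, sourceuser).
    """
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        if fields.get("action") != "login":
            continue  # the query's action=login filter drops logouts etc.
        if "class" not in fields or "sourceuser" not in fields:
            continue  # malformed line: skip rather than miscount
        counts[(fields["class"], fields["sourceuser"])] += 1
    return counts


def password_only_users(counts):
    """Users seen with SESSION (password) logins and never with SAML.

    These are the accounts to migrate to SAML, or to whitelist, before
    Require SAML Sign In is enabled.
    """
    saml_users = {user for (cls, user) in counts if cls == "SAML"}
    session_users = {user for (cls, user) in counts if cls == "SESSION"}
    return sorted(session_users - saml_users)


if __name__ == "__main__":
    by_class = count_logins_by_class(SAMPLE_AUDIT_LOG)
    for (cls, user), n in sorted(by_class.items()):
        print(f"{cls:8} {user:25} {n}")
    print("password-only users:", password_only_users(by_class))
```

In the sample, jane.doe@example.com appears on two rows (one SAML, one SESSION), matching the page's note that a user who used both methods gets a row per method; admin@example.com is the only account that never used SAML.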

Require SAML for sign-in

After you create a SAML configuration, you can require users to sign in using SAML and prevent users from bypassing SAML with a username and password for login. Before you do so, follow the instructions in Check SAML Usage.

Click Require SAML Sign In to require users to sign in using SAML.

After you lock down SAML, any new users you whitelist will have to select Forgot Password from the login screen to recover their credentials. This is because a SAML-locked down user does NOT have a password.

Sumo automatically adds your account under Allow these users to sign in using passwords in addition to SAML as a whitelisted user as a preventative measure to ensure you’re still able to access Sumo if you run into issues.

Having only one user able to bypass SAML may not be convenient or practical if you have a global company or a large team. You can add additional whitelisted users by clicking the (+) icon by Allow these users to sign in using passwords in addition to SAML:

We do not recommend denying all users password access to Sumo even if you want to enforce log in by SAML. If you attempt to delete your last remaining whitelisted user, you will receive a warning that this is not a recommended practice:

SAML lockdown and user login email address updates

Once you configure Sumo to require users to use SAML for signing into Sumo, you will be unable to change a user's login email address. To change a user's login email address, you must toggle off the Require SAML Sign In option, change the password, and then turn Require SAML Sign In back on.
